Allow to manage credential files contents

Running keystone-manage credential_setup has not been designed for multinode environment. Keystone team suggests to run this command on one node, to export the keys and collect them on every Keystone server. Most of people don't have this mechanism when deploying OpenStack. This patch aims to allow to use puppet-keystone to manage credential files using Puppet file resource. All credentials would be defined in a hash where file path and content is defined. Here is an example: credential_keys: /etc/keystone/credential-keys/0: content: t-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI= /etc/keystone/credential-keys/1: content: GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8= To enable this feature, you'll need to set enable_credential_setup to True and configure credential_keys with a valid hash. Change-Id: Ic335ea201b58c99e9fd8a0a2c0865b461ff8f672
2016-09-06 18:13:32 -04:00 · 2016-09-06 18:13:32 -04:00 · 17675623f3
parent 5269d97fd9
commit 17675623f3
3 changed files with 74 additions and 13 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -425,9 +425,12 @@
 #   Defaults to $::os_service_default
 #
 # [*enable_credential_setup*]
-#   (Optional) Setup keystone for credentials. This is typically only
-#   run on a single node, then the credentials are replicated to the other nodes
-#   in a cluster.
+#   (Optional) Setup keystone for credentials.
+#   In a cluster environment where multiple Keystone nodes are running, you might
+#   need the same keys everywhere; so you'll have to set credential_keys parameter in
+#   order to let Puppet manage Keystone keys in a consistent way, otherwise
+#   keystone-manage will generate different set of keys on keystone nodes and the
+#   service won't work.
 #   This feature was added at the end of Newton. The default value is now False
 #   by default but will switch to True once UCA will have latest Keystone version.
 #   Defaults to False
@ -437,6 +440,20 @@
 #   be set if enable_credential_setup is set to true.
 #   Defaults to '/etc/keystone/credential-keys'
 #
+# [*credential_keys*]
+#   (Optional) Hash of Keystone credential keys
+#   If you enable this parameter, make sure enable_credential_setup is set to True.
+#   Example of valid value:
+#   credential_keys:
+#     /etc/keystone/credential-keys/0:
+#       content: t-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=
+#     /etc/keystone/credential-keys/1:
+#       content: GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=
+#   Puppet will create a file per key in $credential_key_repository.
+#   Note: defaults to false so keystone-manage credential_setup will be executed.
+#   Otherwise Puppet will manage keys with File resource.
+#   Defaults to false
+#
 # [*enable_bootstrap*]
 #   (Optional) Enable keystone bootstrapping.
 #   Per upstream Keystone Mitaka commit 7b7fea7a3fe7677981fbf9bac5121bc15601163
@ -689,6 +706,7 @@ class keystone(
  $fernet_max_active_keys               = $::os_service_default,
  $enable_credential_setup              = false,
  $credential_key_repository            = '/etc/keystone/credential-keys',
+  $credential_keys                      = false,
  $default_domain                       = undef,
  $member_role_id                       = $::os_service_default,
  $member_role_name                     = $::os_service_default,
@ -1086,16 +1104,26 @@ class keystone(
      subscribe => Anchor['keystone::install::end'],
    })

-    exec { 'keystone-manage credential_setup':
-      command     => "keystone-manage credential_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
-      path        => '/usr/bin',
-      user        => $keystone_user,
-      refreshonly => true,
-      creates     => "${credential_key_repository}/0",
-      notify      => Anchor['keystone::service::begin'],
-      subscribe   => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
-      require     => File[$credential_key_repository],
-      tag         => 'keystone-exec',
+    if $credential_keys {
+      validate_hash($credential_keys)
+      create_resources('file', $credential_keys, {
+          'owner'     => $keystone_user,
+          'group'     => $keystone_group,
+          'subscribe' => 'Anchor[keystone::install::end]',
+        }
+      )
+    } else {
+      exec { 'keystone-manage credential_setup':
+        command     => "keystone-manage credential_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}",
+        path        => '/usr/bin',
+        user        => $keystone_user,
+        refreshonly => true,
+        creates     => "${credential_key_repository}/0",
+        notify      => Anchor['keystone::service::begin'],
+        subscribe   => [Anchor['keystone::install::end'], Anchor['keystone::config::end']],
+        require     => File[$credential_key_repository],
+        tag         => 'keystone-exec',
+      }
    }
  }

--- a/releasenotes/notes/keystone-credential-setup-0971292cf1b0bde7.yaml
+++ b/releasenotes/notes/keystone-credential-setup-0971292cf1b0bde7.yaml
@ -6,3 +6,6 @@ features:
    management of credential directory, keystone-manage credential_setup execution (can
    be enabled with enable_credential_setup boolean) and the configuration of
    credential/key_repository in keystone.conf.
+    Note, if credential_keys parameter is set to a valid hash, keystone-manage won't
+    be used to generate credential keys but Puppet will manage file resources for each
+    key in the hash. It allows to generate the same keys in multinode environment.
--- a/spec/classes/keystone_spec.rb
+++ b/spec/classes/keystone_spec.rb
@ -947,6 +947,36 @@ describe 'keystone' do
      ) }
    end

+    describe 'when setting credential_keys parameter' do
+      let :params do
+        default_params.merge({
+          'enable_credential_setup' => true,
+          'credential_keys' => {
+            '/etc/keystone/credential-keys/0' => {
+              'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
+            },
+            '/etc/keystone/credential-keys/1' => {
+              'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
+            },
+          }
+        })
+      end
+
+      it { is_expected.to_not contain_exec('keystone-manage credential_setup') }
+      it { is_expected.to contain_file('/etc/keystone/credential-keys/0').with(
+        'content'   => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
+        'owner'     => 'keystone',
+        'owner'     => 'keystone',
+        'subscribe' => 'Anchor[keystone::install::end]',
+      )}
+      it { is_expected.to contain_file('/etc/keystone/credential-keys/1').with(
+        'content'   => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
+        'owner'     => 'keystone',
+        'owner'     => 'keystone',
+        'subscribe' => 'Anchor[keystone::install::end]',
+      )}
+    end
+
    describe 'when disabling credential_setup' do
      let :params do
        default_params.merge({